Monday, August 30, 2010

Privacy interests to be considered in publication ban

A long-time friend of this blog just recently sent me a link to a new decision from the British Columbia Supreme Court (R. v. Pickton, 2010 BCSC 1198 ), in which the Court was asked to issue a publication ban to protect the identity of an individual witness for reasons of privacy.

The individual applicant had previously been a sex worker and drug addict. In 1997, police laid a charge against Robert Pickton, alleging that he had attempted to murder her but the prosecution was discontinued. Her evidence is relevant in the current proceeding against Robert Pickton. No publication ban was entered at the time of the 1997 prosecution.

Since then, the applicant has left the sex trade and is no longer a drug user. She is married, has kids and appears to be living a normal life in the lower mainland of British Columbia.

She brought an application to prevent her name from being disclosed during the current prosecution of Pickton. The application was strongly opposed by the media.

When dealing with publication bans, the courts take their lead from Dagenais v. Canadian Broadcasting Corp., [1994] 3 S.C.R. 835, 1994 CanLII 39 (S.C.C.) and R. v. Mentuck, 2001 SCC 76, [2001] 3 S.C.R. 442, neither of which explicitly address privacy interests.

A publication ban should only be ordered when:

(a) such an order is necessary in order to prevent a serious risk to the proper administration of justice because reasonably alternative measures will not prevent the risk; and

(b) the salutary effects of the publication ban outweigh the deleterious effects on the rights and interests of the parties and the public, including the effects on the right to free expression, the right of the accused to a fair and public trial, and the efficacy of the administration of justice.

In this case, the media argued that the applicant was only "about embarrassment and nothing more". They suggested that her interests could be protected by changing her name.

Justice Williams did not agree:

[20] I am satisfied that the Applicant will suffer a significant breach of privacy if her name is not protected by a publication ban and that this impacts on her personal security and that of her family. The privacy interests of the Applicant are a legitimate aspect of the proper administration of justice and must be considered in the analysis. The Respondents’ submission that the Applicant’s privacy interests are insufficient seems contrary to a number of authorities including the Criminal Code provisions which deal with publication restrictions for victims and witnesses. These provisions expressly recognize the privacy interests of the victims and witnesses. The concept of dignity springs to mind. Although it is nowhere mentioned in the subsection, I cannot believe that it is not a factor worthy of some consideration in the analysis.

Given that the media are free to report on all the details of her previous encounter with Pickton and of any evidence she has given more recently, but without her name, the balance tilted in favour of protecting her identity.

[28] The Applicant, having participated in the proceedings against Mr. Pickton requests that she be able to live in her community free from the public scrutiny that will arise if her name and identity are published. She does not seek to prevent the details of her story from being published. In my view, granting the Applicant’s request achieves the proper balance that the Dagenais-Mentuk framework requires between the open court principle and the proper administration of justice. The temporary publication ban which has thus far protected the Applicant has been shown to minimally impair the ability of the Respondents to perform their function. The publication ban respects the open court principle and allows the public to scrutinize this proceeding. The publication ban protects the proper administration of justice because it permits the Applicant’s story to be told in a way that illustrates that the justice system respects, where possible, the privacy interests of victims and witnesses of crime.

Friday, August 27, 2010

Alberta Commissioner launches investigation into medical identity theft

This is the first Canadian case of "medical identity theft" or impersonation that I've seen widely reported:

CBC News - Calgary - Mistaken identity case sparks investigation

Alberta's privacy commissioner has announced an investigation into the "Golo" identity case.

Golo is the nickname of a man who was admitted into Foothills Hospital, died on May 21, 2009, and then was buried in a Calgary cemetery, all under someone else's identity.

He allegedly used an Alberta Health Care card stolen from a casual acquaintance.

The investigation will examine "what steps are reasonable to take to ensure health information is accurate and complete before it is used by a health services provider," according to a news release from the information and privacy commissioner's office.

A report will be released to the public once the investigation is completed.

Calgary police are still trying to determine Golo's identity.

Wednesday, August 25, 2010

Privacy Commissioner v Facebook: Next chapter imminent

You may recall that last year, following a high-profile complaint made against Facebook by the Canadian Internet Policy and Public Interest Clinic, the Privacy Commissioner of Canada gave Facebook a year to get its house in order. In particular, the social networking site told the Commissioner that it would take about a year to address issues regarding third party applications on the Facebook platform and the handling of accounts of deceased users.

A year has passed and the media are reporting that there may be a showdown brewing. It is suggested that if the Commissioner is not satisfied with what Facebook is doing today, it's off to court: Privacy czar set to hand down Facebook ruling.

I'm not sure it's as dire as that, but it will be interesting to see what transpires in the coming days.

It should also be borne in mind that the Commissioner is an ombuds(wo)man. If she goes to court, it's a de novo hearing, so the matter starts all over at the very beginning. Factoring in "Internet time", what Facebook was doing a year ago seems like pre-history.

Update: CIPPIC says that Facebook still falls short of its Canadian obligations, according to an article at ITBusiness.ca.

Tuesday, August 24, 2010

Elizabeth Denham says federal OPC may need greater enforcement powers

Elizabeth Denham, former Assistant Privacy Commissioner of Canada was recently interviewed by itbusiness.ca saying that the Federal Commissioner's office may need augmented powers to deal with privacy enforcement in the modern age. The OPC has hired two academics to re-examine the ombudsman model that the office currently follows and to look at alternatives.

See the article and video interview here: Privacy watchdog needs sharper teeth.

Facebook to be off-limits to German employers

According to Spiegel, the German government is currently working on an addition to the country's data protection laws that will prevent employers from using Facebook to screen prospective employees, but most other internet-derived information will be fair game:

Saving Jobseekers from Themselves: New Law to Stop Companies from Checking Facebook Pages in Germany - SPIEGEL ONLINE - News - International

But those Facebook users hoping to apply for a job in Germany should pause for a moment before they hit the "deactivate account" button. The government has drafted a new law which will prevent employers from looking at a job applicant's pages on social networking sites during the hiring process.

According to reports in the Monday editions of the Die Welt and Süddeutsche Zeitung newspapers, Interior Minister Thomas de Maizière has drafted a new law on data privacy for employees which will radically restrict the information bosses can legally collect. The draft law, which is the result of months of negotiations between the different parties in Germany's coalition government, is set to be approved by the German cabinet on Wednesday, according to the Süddeutsche Zeitung.

Although the new law will reportedly prevent potential bosses from checking out a candidate's Facebook page, it will allow them to look at sites that are expressly intended to help people sell themselves to future employers, such as the business-oriented social networking site LinkedIn. Information about the candidate that is generally available on the Internet is also fair game. In other words, employers are allowed to google potential hires. Companies may not be allowed to use information if it is too old or if the candidate has no control over it, however.

Tuesday, August 17, 2010

Auto finance company scopes GPS tracking and borrower profiling

When I first saw this headline referring to GPS tracking, I assumed that a car finance company would want GPS on vehicles to make it easier to repossess the car if the borrower defaults. That's intrusive, but makes sense. The finance company essentially owns the vehicle until it's paid off, so maybe it's reasonable for it to know where it is.

But not so, according to the article (Auto finance company scopes GPS tracking - Computerworld). An auto finance company is quietly making inquiries in the United States about whether it can use GPS on vehicles to track, profile and categorize the driver to evaluate the risk of the underlying loan so the loan can be sold on on the secondary market.

Saturday, August 14, 2010

Federal Commissioner settles ID-swiping dispute

The Privacy Commissioner of Canada just recently announced a settlement has been reached in its application to the Federal Court to stop Canad Corporation of Manitoba from ID-swiping patrons of its nightclubs. This followed an investigation by the OPC that recommended the practice be terminated and that the data collected be destroyed. Canad refused to follow the OPC's advice, so the Commissioner commenced an application to the Court to have the matter dealt with there.

Here's the summary from the Commissioner's site.

Recent Court Activity

Settlement between the Privacy Commissioner of Canada and Canad Corporation of Manitoba Ltd.

Legal Update

The Privacy Commissioner of Canada has reached a settlement with the Canad Corporation of Manitoba Ltd (Canad Inns), a hotel chain that operates a number of night clubs in Manitoba. This settlement follows legal proceedings stemming from an investigation into the collection of personal information of bar patrons using a machine that copies and stores personal information appearing on the front of an identification card such as a driver’s licence.

The Office of the Privacy Commissioner’s investigation was prompted by a complaint from a Canad Inns customer who objected to having her licence information scanned.

The Privacy Commissioner’s office understood Canad Inns’ need to effectively verify the age of its patrons and to ensure an appropriate level of security in its night clubs. In addition to the identification machines, Canad Inns also used video surveillance, metal detectors, pat downs, security personnel and lists of banned people in order to secure the safety of patrons.

The investigation ultimately concluded that the machines collected more information than was necessary for those stated purposes and that the information collected was being retained for too long.

Canad Inns disagreed with recommendations to stop using the machines and to remove the personal information already collected by them.

As a result, the Privacy Commissioner filed a notice of application before the Federal Court to enforce the recommendations.

Following court-ordered mediation in early 2009, the Court gave Canad Inns a period of time to determine feasible means to limit the personal information it collects.

As part of the settlement between Canad Inns and the Privacy Commissioner, the company has made commitments to:

  • Stop collecting personal information at its night clubs via its identification machines;
  • Destroy the personal information collected with the machines; and
  • Limit the amount of personal information found on its list of barred people and ensure that this information is adequately secured.

The Office of the Privacy Commissioner of Canada is pleased that Canad Inns has agreed to take steps to ensure that the privacy rights of its patrons are respected.

The Privacy Commissioner has agreed that it would not be unreasonable for Canad Inns to collect limited personal information (names, dates of birth and photos) from bar patrons and to retain that personal information for 24 hours. This is a similar approach to that taken in both British Columbia and Alberta, where provincial privacy commissioners have investigated similar issues.

A case summary of the Office of the Privacy Commissioner of Canada’s investigation is also available at: http://www.priv.gc.ca/cf-dc/2008/396_20080227_e.cfm.

Friday, August 06, 2010

Access right survives requester

Dan Michaluk has a good summary of a very recent Federal Court of Canada case that found an access request (and the right to bring an application to the court) survives the death of the relevant individual. See: Case Report – Federal Court addresses effect of requester’s death on a denied access request � All About Information, about Canadian Association of Elizabeth Fry Societies v. Canada (Public Safety and Emergency Preparedness), 2010 FC 470 (CanLII).

US Government enters Blackberry security debate

The US State Department is wading into the Blackberry security debate already discussed below. They hope to reach a compromise, which hopefully will not compromise the security of the devices. See: State Dept. wades into foreign BlackBerry ban.

Sunday, August 01, 2010

UAE to ban Blackberry: Devices are too hard to tap

According to the New York Times, the United Arab Emirates is poised to ban e-mail and internet use on Blackberry devices for "security issues". The security issue is that the devices are too difficult to monitor. See: U.A.E. Is to Bar BlackBerry E-Mail Over Security Issues - NYTimes.com.